CN101253473A - Method for scalarly multiplying points on an elliptic curve - Google Patents


Info

Publication number: CN101253473A
Authority: CN (China)
Prior art keywords: scalar multiplication, degree, characteristic, prime number, polynomial
Legal status: Pending
Application number: CNA2006800318338A
Other languages: Chinese (zh)
Inventors: B·迈耶, A·卡格尔
Assignee (original and current): Siemens AG

Classifications

    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F7/00: Methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F7/60: Methods or arrangements for performing computations using a digital non-denominational number representation, i.e. number representation without radix; computing devices using combinations of denominational and non-denominational quantity representations, e.g. using difunction pulse trains, STEELE computers, phase computers
    • G06F7/72: The same, using residue arithmetic
    • G06F7/724: Finite field arithmetic
    • G06F7/725: Finite field arithmetic over elliptic curves
    • G06F2207/00: Indexing scheme relating to methods or arrangements for processing data by operating upon the order or content of the data handled
    • G06F2207/72: Indexing scheme relating to groups G06F7/72 - G06F7/729
    • G06F2207/7214: Calculation via prime subfield, i.e. the subfield being GF(p) with p an integer prime > 3; e.g. GF(p**k) via GF(p)

Abstract

The invention relates to a method for scalar multiplication of points on an elliptic curve over a finite extension field K of a prime field Fp of characteristic p > 3, wherein the characteristic p has low Hamming weight and the extension field, in its polynomial representation, uses the polynomial F(X) = X^d - 2 of degree d.

Description

Method for scalar multiplication of points on an elliptic curve
Technical field
The present invention relates to a method for scalar multiplication (Skalarmultiplikation) of points on an elliptic curve, in particular an elliptic curve over a finite extension field K of a prime field (Primkörper) Fp of characteristic p > 3.
Background technology
In cryptography, a distinction is made between symmetric and asymmetric methods. A symmetric method uses a single secret key for both encryption and decryption; this key must be distributed to the two communicating parties over a secure channel. An asymmetric method uses two keys, a public key and a private key. The public key can be distributed to all users without endangering the security of the data exchange, so key exchange does not pose the problem in asymmetric methods that it does in symmetric ones. The disadvantage of asymmetric methods is that they are hundreds to thousands of times slower than comparable symmetric methods.
Elliptic curves have been used in asymmetric encryption methods since 1985. The main advantage of encryption methods based on elliptic curves is that, compared with other methods such as RSA, smaller keys can be used while reaching the same security level: a 160-bit key offers the same resistance to attack as a 1024-bit key in the RSA method. Per key bit, elliptic curve methods currently provide the highest security of all known methods, which makes them particularly suitable for channels with very limited bandwidth. Their disadvantage is that encryption and decryption are more computationally expensive than in other methods. For use in cryptographic methods it is therefore important to choose the constants of the cryptosystem optimally.
Let K be a finite field of characteristic p > 3, and a, b ∈ K. An elliptic curve over K is the set of zeros of the equation y^2 = x^3 + ax + b with 4a^3 + 27b^2 ≠ 0. Together with the point at infinity as neutral element, the elliptic curve forms an additive group. Let G ⊆ E be a subgroup of prime order. Every non-trivial point P ∈ G is then a generator of G, so every point Q ∈ G is the result Q = sP of a scalar multiplication, where s ∈ {0, ..., ord(P) - 1}. For a positive integer scalar s, the scalar multiplication is the s-fold repeated addition of the point P to itself.
For curves with suitable properties, scalar multiplication is currently a mathematical one-way function: it can be computed in polynomial time, but according to the current state of the art it can only be inverted in exponential time. Inverting scalar multiplication on an elliptic curve is also called the elliptic curve discrete logarithm problem (ECDLP), and it is the mathematical foundation of cryptosystems based on elliptic curves. The currently known methods for computing discrete logarithms on elliptic curves suitable for cryptography have complexity O(2^(0.5n)), where n is the binary length of the order of G ⊆ E. To meet current security requirements, a bit length of at least n > 160 is recommended.
Scalar multiplication of a point P is usually carried out by point addition and point doubling on the elliptic curve. The computation rules for addition and doubling consist of arithmetic operations on elements of the field K. To carry out the scalar multiplication efficiently, the arithmetic operations in the field K must therefore be optimized.
The most important factor in choosing the base field K is the architecture of the available hardware platform. If the hardware platform offers long-number (multi-precision) arithmetic and an integrated coprocessor, a prime field (Primkörper) can be chosen for K to speed up the arithmetic in K. A chip card with a coprocessor and long-number arithmetic, for example, can very efficiently handle elliptic curves over primes of 160 to 600 bits.
By contrast, in hardware environments without dedicated computing units, such as embedded systems whose bus width is only 8 or 16 bits and which have no coprocessor, long-number arithmetic has to be carried out by corresponding software instructions. The cryptographic method must then be implemented entirely in software, which is hard to optimize or requires a great deal of experience.
The efficiency of such a software solution for scalar multiplication can be improved considerably if the optimization possibilities offered by the hardware can be exploited, for example the SSE2 unit of a Pentium 4 processor or of a signal processor, which can carry out additions and multiplications simultaneously.
An alternative to a prime field is to choose for K an extension field of the prime field Fp. With a smaller prime p of only 20 to 30 bits and an irreducible polynomial of degree d, an extension field over the smaller field Fp can be constructed. The elements of the extension field are polynomials whose coefficients are in turn elements of the field Fp. In this way a larger number of significant digits is reached even though the prime p is small, and this bit length can provide sufficiently high security. The polynomial arithmetic of the invention can therefore be matched to the bus width of the respective processor, so that the arithmetic operations available on the device are used optimally and no long-number arithmetic is needed. In this polynomial arithmetic, as when multiplying two n-digit numbers, n^2 multiplications are carried out. Advantageously, the total number of operations in this polynomial arithmetic can be greatly reduced by using special algorithms.
To return to the field after multiplying two polynomials, where the result of the multiplication is a polynomial of degree at most 2d - 2, this polynomial must be reduced. On the one hand, the coefficients of the polynomial are reduced modulo p in the finite field Fp; on the other hand, the polynomial itself is reduced modulo the irreducible polynomial.
By careful choice of the extension field of Fp, the cost of both reductions can be minimized. An optimal extension field (OEF) of the prime field Fp of characteristic p > 3, whose elements are polynomials of degree at most d - 1, is characterized by two main properties:
1. The prime p is a pseudo-Mersenne prime of the form p = 2^n ± c with log(c) < n/2. This property allows fast reduction in the field Fp.
2. There is an irreducible polynomial F(X) = X^d - w ∈ Fp[X]. This property allows fast reduction in the polynomial ring Fp[X], because the coefficients to be reduced can be reduced by multiplications and additions in Fp.
An optimal extension field can additionally be of type 1 or type 2:
Type 1: the prime p satisfies p = 2^n ± 1, i.e. c = 1.
Type 2: the irreducible polynomial satisfies F(X) = X^d - 2, i.e. w = 2.
It can be shown mathematically that an optimal extension field can be of type 1 or of type 2, but cannot have both properties at once. A type 1 optimal extension field allows highly efficient arithmetic in the prime field Fp, while a type 2 optimal extension field allows efficient reduction in the polynomial ring Fp[X]. In both cases it cannot be avoided that the reduction in Fp or the reduction in the polynomial ring Fp[X] requires multiplications by elements of the prime field Fp.
If the field K is the prime field Fp, the reduction of products of elements of Fp can be accelerated by choosing a special prime p. The number of operations needed for a multiplication depends not only on the bit length of the two factors but also on the Hamming weight of the representation of the factors. The Hamming weight of a number Z is the number of set bits of Z; the Hamming weight of 11101, for example, is 4. By carefully choosing the representation of a number, operations can be saved when two numbers are multiplied: the number 63 in binary is 111111, with Hamming weight 6. Multiplication by a power of 2 is realized by a left shift, so in this case a total of 5 shifts and 5 additions are needed. But 63 can also be written as 2^6 - 1. In this representation the Hamming weight is only 2, so multiplication by 63 can be carried out with a left shift by 6 bits and one subtraction. By contrast, multiplication by the number 10 requires two shifts and one addition even though it has fewer bits. The cost of a multiplication therefore depends strongly on its Hamming weight. In the list of elliptic curves over prime fields recommended by the National Institute of Standards and Technology (NIST, USA), it can be noted that the primes have a representation p = 2^n ± 2^m ± 1 with Hamming weight 3, which enables efficient reduction.
The irreducible polynomial X^d - 2 has precisely the optimal form for reduction: it consists of only two terms, X^d and a constant additive term. The factor 2 is also the optimal choice, because the coefficient to be reduced need only be shifted by one bit to multiply it by 2. Primes of the form p = 2^n ± 1 are equally optimal for reduction, because only a single additive term besides 2^n is present. Unfortunately the two types cannot be combined with each other, so when choosing an extension field the costs always have to be balanced.
The coefficients a and b of an elliptic curve defined over an extension field are in general polynomials. For a Koblitz curve, a and b lie in the base field and are polynomials of degree 0. Raising a point on such a curve to the p-th power, which corresponds to the Frobenius automorphism of the finite field, maps the point onto the same curve again. If a and b are polynomials, the point is mapped onto a different curve. Since in the endomorphism ring all scalars can be expressed in terms of the Frobenius endomorphism of the elliptic curve, a very fast scalar multiplication method is obtained for Koblitz curves.
Summary of the invention
The technical problem addressed by the invention is to realize the scalar multiplication of points on an elliptic curve over a finite extension field of characteristic p > 3 efficiently in software on a standard processor without an additional coprocessor.
This problem is solved by a method for scalar multiplication of points on an elliptic curve over a finite extension field K of a prime field Fp of characteristic p > 3, wherein the scalar multiplication is carried out in a cryptographic algorithm that encrypts a message, decrypts a message, generates a signature for a message or verifies the signature of a message, the characteristic p has Hamming weight ≤ 4, and the extension field K has, in its polynomial representation, the irreducible polynomial F(X) = X^d - 2 of degree d. The optimal extension field is thus of type 2 and has optimal reduction properties with respect to the polynomial ring Fp[X]. Because type 1 and type 2 optimal extension fields are mutually exclusive, the prime cannot be represented in the form p = 2^n ± 1. To achieve efficient arithmetic in the prime field Fp nevertheless, the prime p is required to have a very small Hamming weight. A very small Hamming weight in the binary representation strongly reduces the number of operations and speeds up the computation of the scalar multiplication.
According to a preferred embodiment, the characteristic p has Hamming weight 3. A Hamming weight below 3 would yield a type 1 optimal extension field; since a type 2 optimal extension field has been chosen, the Hamming weight cannot be less than 3. If the Hamming weight is 4 or more, additional terms arise that impair the efficiency of the scalar multiplication algorithm.
According to a preferred embodiment, the characteristic is chosen such that p = 2^n ± 2^m ± 1, where n and m are natural numbers. With a characteristic of this form, the Hamming weight of the characteristic is 3, and all operations can be realized efficiently by bit shifts and additions or subtractions.
According to a preferred embodiment, the degree d of the irreducible polynomial is a prime number. If d is even, there exists a binomial by which the irreducible polynomial can be reduced. If the degree d is prime, known attacks that can arise for non-prime degree are prevented.
According to a preferred embodiment, the elliptic curve is given by y^2 = x^3 + ax + b with 4a^3 + 27b^2 ≠ 0. This does not restrict the method from being used with other curves. The condition on the coefficients a and b must be met so that the elliptic curve has no singular points, since otherwise it is not suitable for cryptographic use.
According to a preferred embodiment, the elliptic curve is a Koblitz curve. Koblitz curves allow fast scalar multiplication by means of the Frobenius endomorphism over the field Fp.
According to a preferred embodiment, the scalar multiplication is carried out in a representation of the scalar as a power series in the Frobenius endomorphism. The scalar multiplication can thereby be realized as short scalar multiplications.
According to a preferred embodiment, the powers of the power series are computed in advance and stored. This further improves the efficiency of the scalar multiplication method.
According to a preferred embodiment, the bit length of the characteristic p and the degree d are matched to the processor on which the scalar multiplication is carried out. On a processor with a word width of 8 bits, the prime p can comprise 5 to 6 bits, which allows primes up to 31 to be represented. To achieve sufficient security, the degree d of the irreducible polynomial must then be chosen higher than the degree used with a prime of greater bit length; to obtain a field of at least 160 bits, a degree of d = 23 or 29 is needed. On a processor with a word width of 16 bits, the characteristic p can have a bit length of 12 to 13 bits, so the degree of the irreducible polynomial can be smaller, for example d = 11.
According to a preferred embodiment, the characteristic p and the degree d are chosen such that the arithmetic operations provided for the bus width of the processor can be used directly for the scalar multiplication. In this way intermediate results can be stored during a multiplication without reduction modulo the characteristic p, and no long-number arithmetic needs to be implemented.
According to a preferred embodiment, the individual arithmetic parts of the scalar multiplication are executed in parallel by means of the Streaming SIMD (Single Instruction Multiple Data) Extensions (SSE) instruction set. Through parallel processing and the use of other optimization possibilities offered by the hardware platform, the required computing time can be reduced drastically without a coprocessor.
According to the invention, the method described above is used in asymmetric cryptography applications. Such applications can realize key exchange, digital signatures and the like, with computing time and hardware requirements both at a level acceptable to the user.
Embodiment
The invention is explained in more detail below by means of an embodiment.
To speed up the computation of the scalar multiplication, the arithmetic operations on an elliptic curve over an optimal extension field must be optimized for the existing hardware platform. This is achieved by optimizing the computational cost that an optimal extension field incurs when the conditions of type 1 or type 2 are not satisfied. If a type 2 optimal extension field is chosen, the resulting non-optimal form with respect to type 1 can be compensated sufficiently by careful choice of the prime p. Conversely, if the irreducible polynomial F(X) is not optimal, the computational cost is higher, because this polynomial is involved more frequently in the computation and, depending on the degree d, has correspondingly many coefficients.
Therefore, to compensate for the non-optimal form of the prime with respect to type 1, a number whose binary representation has a very small Hamming weight is chosen as the prime p. A prime of the form p = 2^n ± 2^m ± 1 has the smallest possible Hamming weight, namely 3. The additional term 2^m affects the computing time less than a non-optimal reduction polynomial would.
The prime p can also be chosen such that intermediate results can be kept in registers as long as possible without reduction modulo p. An additive constant can then be permitted without a large negative effect on computing time, because the reduction has to be carried out only once.
In one embodiment, a 32-bit Pentium 4 processor with SSE2 unit is used as the target platform. In order to manage without long-number arithmetic or a coprocessor, the bit length of the prime p is chosen between 20 and 30 bits, which is 5 to 8 times less than the recommended bit length of 160 bits.
The reduction polynomial is chosen as F(X) = X^d - w with d = 11 and w = 2. The prime is chosen as p = 2^29 - 2^9 + 1, with n = 29, m = 9 and c = 511. The prime p is thus only 29 bits long.
The multiplication by c = 511 needed for the reduction in the optimal extension field can be realized very efficiently with fast bitwise shifts, additions and subtractions, because the Hamming weight is 3.
The invention thus finds an optimal extension field that unites the advantages of type 1 and type 2 optimal extension fields. The reduction of products of elements of the prime field Fp and the reduction of products in the polynomial ring over Fp can be carried out without using the multiply instruction of the processor. Multiplication by the additive constant c = ±2^m ± 1 can be realized by a shift and a subtraction or addition, because of its small Hamming weight. Reduction modulo p can be realized with only 4 shifts, two subtractions and two additions. In addition, all intermediate sums of the partial products of the coefficients of the operands can be stored in 64-bit registers without overflow, and the reduction modulo p is carried out only once, when the computation of a coefficient of the product is complete.
Using Intel's SSE2 (Streaming SIMD Extensions 2) assembly instruction set, the individual parts of the field arithmetic over Fp can be computed in parallel on the Pentium 4 processor. The SIMD (Single Instruction Multiple Data) concept and the 128-bit registers allow two partial products to be computed simultaneously, as shown in the following program segment.
movd xmm0, [edi]          ; load operand a
punpcklqdq xmm0, xmm0     ; duplicate operand a into both 64-bit lanes
movdqu xmm6, [esi]        ; load operands b and c
pmuludq xmm6, xmm0        ; compute a * b and a * c
paddq xmm1, xmm6          ; add a * b and a * c to the previous results
The following program segment exploits the representation p = 2^29 - 2^9 + 1 with very small Hamming weight to reduce two intermediate results simultaneously:
movdqa xmm7, xmm1         ; copy; keep only the lower 29 bits of each lane in xmm1
pand xmm1, [mask]
psrlq xmm7, 29            ; shift the upper bits right by 29
psubq xmm1, xmm7          ; subtract
psllq xmm7, 9             ; shift the upper bits left by 9
paddq xmm1, xmm7          ; add
movdqa xmm6, xmm1         ; repeat the reduction step
pand xmm1, [mask]
psrlq xmm6, 29
psubq xmm1, xmm6
psllq xmm6, 9
paddq xmm1, xmm6
mask dd 0x1fffffff, 0x00000000, 0x1fffffff, 0x00000000
With the SSE2 instructions for 4 double words, even 4 coefficients can be added or subtracted in Fp and reduced simultaneously.
As elliptic curve, a Koblitz curve y^2 = x^3 + ax + b modulo p with the parameters a = 468383287 and b = 63579974 is chosen. The coefficients a and b are chosen at random and have degree 0, so that raising a point to the p-th power maps the point onto the same curve again. In this way the very fast Frobenius endomorphism can be used for the scalar multiplication method. To speed up the computation further, the powers of 2 required for this are computed in advance and stored in a table.
Optimal extension fields for hardware platforms with other bus widths can be chosen in the same way. The prime p is chosen such that, on the one hand, the type 2 optimal reduction polynomial X^d - 2 is obtained and, on the other hand, the prime p has the smallest possible Hamming weight, i.e. as few terms as possible in its binary representation. For a 16-bit processor, the prime p may for example have a bit length of 11 or 13 bits.
By using the optimal extension field described above and carefully choosing the prime p, the computing time for the scalar multiplication of points on an elliptic curve is reduced, so that cryptographic methods using elliptic curves over optimal extension fields can be carried out faster. In addition, because the method for scalar multiplication is scalable through a corresponding choice of the bit length of the prime and can thus be matched to different processor bus widths, the method can be used on different hardware platforms. Especially on hardware platforms without long-number arithmetic or a coprocessor, asymmetric methods based on elliptic curves can be used with little computing time.

Claims (13)

1. A method for scalar multiplication of points on an elliptic curve over a finite extension field K of a prime field Fp of characteristic p > 3, wherein the scalar multiplication is carried out in a cryptographic algorithm that encrypts a message, decrypts a message, generates a signature for a message or verifies the signature of a message, characterized in that
the characteristic p has Hamming weight ≤ 4,
the extension field K has, in its polynomial representation, the irreducible polynomial F(X) = X^d - 2 of degree d.
2. The method according to claim 1, characterized in that the characteristic p has Hamming weight 3.
3. The method according to claim 2, characterized in that the characteristic is chosen as p = 2^n ± 2^m ± 1, where n and m are natural numbers.
4. The method according to any one of claims 1 to 3, characterized in that the degree d of the irreducible polynomial is a prime number.
5. The method according to any one of claims 1 to 4, characterized in that the elliptic curve is given by y^2 = x^3 + ax + b with 4a^3 + 27b^2 ≠ 0.
6. The method according to claim 5, characterized in that the elliptic curve is a Koblitz curve.
7. The method according to claim 6, characterized in that the scalar multiplication is carried out in a representation of the scalar as a power series in the Frobenius endomorphism.
8. The method according to claim 7, characterized in that the powers of the power series are computed in advance and stored.
9. The method according to any one of claims 1 to 8, characterized in that the bit length of the characteristic p and the degree d are matched to the processor carrying out the scalar multiplication.
10. The method according to claim 9, characterized in that the characteristic p and the degree d are chosen such that the arithmetic operations provided for the bus width of the processor can be used directly for the scalar multiplication.
11. The method according to claim 9 or 10, characterized in that the characteristic p and the degree d are chosen such that all coefficients of the intermediate products of the modular multiplication in the extension field can be stored in registers of the processor without overflow.
12. The method according to any one of the preceding claims, characterized in that the individual arithmetic parts of the scalar multiplication are executed in parallel by means of the Streaming SIMD (Single Instruction Multiple Data) Extensions instruction set.
13. Use of the method according to any one of the preceding claims in asymmetric cryptography applications.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102005041102.9 2005-08-30
DE102005041102A DE102005041102A1 (en) 2005-08-30 2005-08-30 Method for scalar multiplication of points on an elliptic curve

Publications (1)

Publication Number Publication Date
CN101253473A true CN101253473A (en) 2008-08-27

Family

ID=37087755

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2006800318338A Pending CN101253473A (en) 2005-08-30 2006-07-11 Method for scalarly multiplying points on an elliptic curve

Country Status (5)

Country Link
US (1) US20090136025A1 (en)
EP (1) EP1920323A1 (en)
CN (1) CN101253473A (en)
DE (1) DE102005041102A1 (en)
WO (1) WO2007025796A1 (en)

Also Published As

Publication number Publication date
US20090136025A1 (en) 2009-05-28
WO2007025796A1 (en) 2007-03-08
EP1920323A1 (en) 2008-05-14
DE102005041102A1 (en) 2007-03-15

Legal Events

Code / Title / Description
C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of the request for substantive examination)
C12 / RJ01: Rejection of the invention patent application after its publication

Open date: 20080827